Posted to dev@httpd.apache.org by David Robinson <dr...@ast.cam.ac.uk> on 1995/10/25 11:33:00 UTC

Re: Apache incompatibility (resend)

[Resent because hyperreal may have lost this for some people]

New patch uploaded, which should conform to Andrew's description.
I misread the spec; the crappy netscape font made '../ cannot be used in this
pathname' look like '/ cannot be used in this pathname' 
[Memo; make sure any dots are in <code>]

31a_include.0.8.15.patch
------------------------

Subject: SSI #include file="/foo/bar" shouldn't work
Affects: mod_include.c
ChangeLog: Disallow includes of files not in the same directory as, or
           sub-directory of, the .shtml file.

*** mod_include.c.orig	Tue Oct 10 23:00:31 1995
--- mod_include.c	Thu Oct 19 14:39:35 1995
***************
*** 360,372 ****
          if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
              return 1;
          if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
! 	    request_rec *rr =
! 	        (tag[0] == 'f')?
! 		    sub_req_lookup_file (tag_val, r) :
! 		    sub_req_lookup_uri (tag_val, r);
  	    char *error_fmt = NULL;
  	    
! 	    if (rr->status != 200)
  	        error_fmt = "unable to include %s in parsed file %s";
  
  	    if (!error_fmt && noexec && rr->content_type
--- 360,380 ----
          if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
              return 1;
          if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
! 	    request_rec *rr=NULL;
  	    char *error_fmt = NULL;
+ 
+ 	    if (tag[0] == 'f')
+ 	    { /* be safe; only files in this directory or below allowed */
+ 		char tmp[MAX_STRING_LEN+2];
+ 		sprintf(tmp, "/%s/", tag_val);
+ 		if (tag_val[0] == '/' || strstr(tmp, "/../") != NULL)
+ 		    error_fmt = "unable to include file %s in parsed file %s";
+ 		else
+ 		    rr = sub_req_lookup_file (tag_val, r);
+ 	    } else
+ 		rr = sub_req_lookup_uri (tag_val, r);
  	    
! 	    if (!error_fmt && rr->status != 200)
  	        error_fmt = "unable to include %s in parsed file %s";
  
  	    if (!error_fmt && noexec && rr->content_type
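Review bot: The unbounded `sprintf(tmp, "/%s/", tag_val)` into `char tmp[MAX_STRING_LEN+2]` is safe only if `tag_val` never exceeds MAX_STRING_LEN-1 characters, and nothing in this hunk enforces that. The bound presumably comes from the `MAX_STRING_LEN` argument passed to `get_tag`, whose body is outside the hunk, so this should be confirmed rather than assumed, since `tag_val` is taken from the parsed document. I would make the limit explicit ahead of the copy, e.g. `if (strlen(tag_val) >= MAX_STRING_LEN) error_fmt = "unable to include file %s in parsed file %s";`, and only format `tmp` in the else branch. Failing that, the declaration of `tmp` should at least carry a comment stating the invariant, such as `/* get_tag() limits tag_val to MAX_STRING_LEN-1 chars; +2 covers the added slashes */`. The enclosing function starts and ends outside the hunk.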
***************
*** 383,389 ****
                  rprintf(r,"%s",error);
              }            
  
! 	    destroy_sub_req (rr);
          } 
          else if(!strcmp(tag,"done"))
              return 0;
--- 391,397 ----
                  rprintf(r,"%s",error);
              }            
  
! 	    if (rr != NULL) destroy_sub_req (rr);
          } 
          else if(!strcmp(tag,"done"))
              return 0;